Automating the Creation of Valid SAMAccount Names with Ambari for PowerScale

Note: This topic is part of the Using Hadoop with OneFS - PowerScale Info Hub.

It is well documented that PowerScale requires valid SAMAccount Names in Active Directory (AD) to support the Kerberization of Ambari-based HDP clusters. The installation guides describe this behavior in detail and explain the manual modifications usually made in AD to meet this requirement. The approach illustrated here shows how Ambari can be configured to make the required updates for us.

Review the following documents for additional details on the overall Kerberization integration.

Historically, modifying the SAMAccount Name attribute on the Ambari UPNs has been a manual process, but with a small change to the Kerberization template this can be automated relatively easily.

The general approach used is to create a unique UPN and SAMAccount name by appending a cluster-specific suffix to each principal to facilitate multitenancy as described in the docs.

The field used in the Kerberos Wizard to do this is the Principal Suffix. It is appended to the end of all the Ambari-generated principals and defaults to the variable: -${cluster_name|toLower()}


By default this variable resolves to the deployed Hortonworks Hadoop cluster name. It is important to note that UPNs have no practical character limit (255 characters) but the SAMAccount Name does (20 characters). Since the generated name is the username of the account plus the suffix, this constraint must be accounted for when using the default value.

If the cluster name is short, for example 3 or 4 characters, the default cluster name value will work fine because no generated principal will exceed 20 characters and Kerberization will succeed. If the cluster name is long, greater than 5 characters, principals may exceed the limit and Kerberization will fail. In that case it is suggested to use a unique abbreviation to represent the cluster name as the suffix; you can modify the suffix variable directly before running the wizard.


clustername = HDP2 - default clustername principal suffix will be: username-hdp2 - < 20 Characters, VALID
clustername = HortonworksPROD2 - principal suffix will be: username-hortonworksprod2 - > 20 Characters, INVALID
clustername = HortonworksPROD2 - principal suffix manually modified to hwx2: username-hwx2 - < 20 Characters, VALID

When manually overriding the default value of -${cluster_name|toLower()} you must use a unique identifier and a lowercase suffix.

Example: cluster name HortonworksPROD2, suffix modified to hwx2
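The length and lowercase rules above can be checked before running the Kerberos Wizard. The following pre-flight script is an added example, not Dell or Ambari code; the list of principal primaries is a constructed sample of typical Ambari user principals, and the suffix handling mirrors the -${cluster_name|toLower()} convention described in this article.

```python
# Pre-flight check of an Ambari principal suffix against the AD sAMAccountName
# limit discussed above. Added example; not Dell, Ambari or OneFS code.

SAM_MAX_LEN = 20  # sAMAccountName limit stated in the article

# Constructed sample of the user-principal primaries the wizard generates,
# i.e. the part before the suffix and the @REALM. Adjust for your cluster.
SAMPLE_PRIMARIES = ["hdfs", "yarn", "hbase", "hive", "spark",
                    "ambari-qa", "ambari-server"]


def default_suffix(cluster_name):
    """Mirror the wizard's default suffix: -${cluster_name|toLower()}."""
    return "-" + cluster_name.lower()


def check_suffix(suffix, primaries=SAMPLE_PRIMARIES):
    """Return (primary, sam_account_name, problems) for every principal.

    problems is an empty list when the resulting sAMAccountName is usable.
    """
    results = []
    seen = set()
    for primary in primaries:
        sam = primary + suffix
        problems = []
        if len(sam) > SAM_MAX_LEN:
            problems.append("length %d exceeds %d" % (len(sam), SAM_MAX_LEN))
        if suffix != suffix.lower():
            problems.append("suffix must be lowercase")
        if sam.lower() in seen:  # AD treats sAMAccountName case-insensitively
            problems.append("duplicate sAMAccountName")
        seen.add(sam.lower())
        results.append((primary, sam, problems))
    return results


def suffix_is_valid(suffix, primaries=SAMPLE_PRIMARIES):
    """True only if every generated sAMAccountName passes all checks."""
    return all(not problems for _, _, problems in check_suffix(suffix, primaries))


def max_suffix_len(primaries=SAMPLE_PRIMARIES):
    """Longest suffix (including the leading '-') that fits every primary."""
    return SAM_MAX_LEN - max(len(p) for p in primaries)


if __name__ == "__main__":
    for cluster in ("HDP2", "HortonworksPROD2"):
        s = default_suffix(cluster)
        print(cluster, s, "VALID" if suffix_is_valid(s) else "INVALID")
    print("override hwx2:", "VALID" if suffix_is_valid("-hwx2") else "INVALID")
    print("longest usable suffix for this sample:", max_suffix_len())
```

Run it with the principal primaries your Kerberos descriptor actually generates; any entry with a non-empty problems list would fail the wizard as described above.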


Usually the Ambari wizard creates a random 20-character string for the SAMAccount Name when generating the AD principals. Because the field is required in AD but not used by Ambari or HDP, a unique random name is fine there. However, as described in the PowerScale installation guides, OneFS uses this attribute for user lookup, so mapping rules are needed to map PowerScale accounts to these SAMAccount Names, and using a simple name identical to the UPN username is the recommended approach. This is similar to the Ambari Kerberos mapping rules.

Modifications to the Ambari Kerberos configuration remove the need for manual edits to these attributes and instruct the wizard to create matching SAMAccount Names based on the UPN username.

Having validated that the principal suffix will produce valid names, as above, proceed as follows.

A simple modification to the Kerberos template is needed: expand the Advanced kerberos-env section in the Kerberos tab. This can be done on initial Kerberization or when regenerating principals; once the template modifications are made they are persistent.


Find the Account Attribute Template and add the following line below the "servicePrincipalName": "$principal_name", line:

"sAMAccountName": "$principal_primary",

The updated template, with the added attributes:


With the template additions and a valid suffix, you can complete the Kerberization wizard as normal, following the installation guides.

The wizard successfully creates the UPNs and SPNs in AD:


When looking at the Ambari UPNs, we now see the SAMAccount Name attribute is consistent with the user logon name rather than a random name:



This template change has no effect on the SPNs created by the wizard. Since PowerScale does not map these SPNs, they can be left with a random name, as seen below:


Additional Steps That Must be Completed When Using This Approach:

To complete the setup with PowerScale, mapping rules need to be added to the OneFS Access Zone to map the local PowerScale service accounts to these UPNs. See this whitepaper for additional details: Isilon OneFS with Ambari Multi-Tenant Active Directory Integration Guide

This approach simplifies the Ambari Kerberos integration with PowerScale and requires fewer manual modifications within AD, making it easier and less complex to complete.

Article ID: SLN319099

Last Date Modified: 07/08/2020 05:49 PM
